
skill-reviewer — agentic threat model

AIVSS 9.2 · Critical

The skill-reviewer agent poses a significant supply chain risk due to its repository-mutating capabilities (forking, editing, and submitting PRs). If compromised or manipulated via prompt injection, it could be weaponized to inject malicious code directly into downstream agent repositories.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base: 8.2
AARS uplift: 0.95
Factor sum: 5.3 / 10
Threat multiplier (ThM): ×1.0
Mitigation factor: ×1.0
Autonomy of Action: 0.80
Goal-Driven Planning: 0.70
Self-Modification: 0.30
Dynamic Tool Use: 0.80
Persistent Memory: 0.20
Contextual Awareness: 0.60
Dynamic Identity: 0.70
Multi-Agent Interactions: 0.10
Non-Determinism: 0.60
Opacity & Reflexivity: 0.50

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
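The formula above can be checked against the listing's own numbers. The calculator below is an added example, not code from the listing or from the skill-reviewer project: it applies AIVSS = (CVSS_Base + AARS) × Mitigation_Factor with AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM to the ten factor scores shown, and reproduces the factor sum of 5.3, the AARS uplift of 0.95 and the final 9.2. The qualitative severity bands and the cap at 10.0 are assumptions (the page only confirms that 9.2 is Critical and that ThM and the mitigation factor are both 1.0 here).

```python
# Added example (not from the listing or the skill-reviewer project): a small
# AIVSS calculator that reproduces the numbers on this page from the stated formula.
from dataclasses import dataclass

# Agentic risk factors exactly as scored on the listing (each in 0.0..1.0).
SKILL_REVIEWER_FACTORS = {
    "Autonomy of Action": 0.80,
    "Goal-Driven Planning": 0.70,
    "Self-Modification": 0.30,
    "Dynamic Tool Use": 0.80,
    "Persistent Memory": 0.20,
    "Contextual Awareness": 0.60,
    "Dynamic Identity": 0.70,
    "Multi-Agent Interactions": 0.10,
    "Non-Determinism": 0.60,
    "Opacity & Reflexivity": 0.50,
}


@dataclass(frozen=True)
class AIVSSResult:
    cvss_base: float
    factor_sum: float   # sum of the ten agentic factors, out of 10
    aars: float         # Agentic AI Risk Score uplift added to the CVSS base
    score: float        # final AIVSS, capped at 10.0
    severity: str


def severity_band(score: float) -> str:
    """Qualitative band. Assumption: AIVSS reuses the CVSS v3.x bands; the
    listing only confirms that 9.2 is 'Critical'."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def aivss(cvss_base: float, factors: dict, threat_multiplier: float = 1.0,
          mitigation_factor: float = 1.0) -> AIVSSResult:
    """AIVSS = (CVSS_Base + AARS) * Mitigation_Factor,
    where AARS = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError(f"CVSS base out of range: {cvss_base}")
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"factor {name!r} out of range: {value}")
    factor_sum = sum(factors.values())
    aars = (10.0 - cvss_base) * (factor_sum / 10.0) * threat_multiplier
    # Cap at 10.0 as a guard in case ThM > 1 pushes the total over the scale
    # (assumption: the page shows ThM = 1.0 only).
    score = min(10.0, (cvss_base + aars) * mitigation_factor)
    return AIVSSResult(cvss_base, factor_sum, aars, score, severity_band(score))


if __name__ == "__main__":
    r = aivss(8.2, SKILL_REVIEWER_FACTORS)
    print(f"factor sum {r.factor_sum:.1f}/10, AARS {r.aars:.2f}, "
          f"AIVSS {r.score:.1f} ({r.severity})")
```

Because the uplift is scaled by (10 − CVSS_Base), the agentic factors can never push a score past 10 on their own; what moves this agent from High to Critical is the 0.95 uplift on an already high 8.2 base. Lowering the mitigation factor (for instance by adding the guardrails discussed under L5 and L6 below) scales the whole result, not just the uplift.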

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description did not pin that layer down.

L1 · Foundation Models · ⚠ not certain from listing

Not certain from the listing — likely relies on commercial or open-source LLMs for code analysis and generation. Key threats include prompt injection via malicious skill files that trick the model into generating backdoored code or bypassing best-practice checks.

L2 · Data Operations · ⚠ not certain from listing

Not certain from the listing — ingests skill files and official best-practice guidelines. Threats include data poisoning of the reference guidelines to lower security standards, or malicious input files designed to cause denial of service or context leakage.

L3 · Agent Frameworks · ✓ mapped

The agent orchestrates a multi-step workflow (fork, edit, PR). Vulnerabilities in the orchestration framework could allow tool misuse, such as manipulating the git tool to target unauthorized repositories or execute arbitrary local commands.

L4 · Deployment & Infrastructure · ⚠ not certain from listing

Not certain from the listing — requires an execution environment with network access to GitHub. Threats include exposure of GitHub API tokens stored in the environment and lack of container sandboxing during code modification.

L5 · Evaluation & Observability · ⚠ not certain from listing

Not certain from the listing — no built-in guardrails or observability features are described. This creates a blind spot where malicious or broken code modifications could be pushed to PRs without triggering security alerts.

L6 · Security & Compliance (cross-cutting) · ✓ mapped

The agent handles sensitive repository-mutating credentials (e.g., GitHub personal access tokens). Lack of fine-grained scoping (e.g., write access to all repos instead of just the target fork) presents a major authorization and compliance risk.
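The L3, L5 and L6 findings above share one mitigation: the deployer, not the agent, should decide which repositories and permissions the fork-edit-PR workflow may touch, and should check every recorded action against that decision. The code below is an added example, not code from the listing or from the skill-reviewer project. It audits a token grant for scope broader than the target fork and audits a run's action records for out-of-scope repositories or arbitrary shell execution. The grant model, the `git.*` / `shell.exec` tool names, the permission strings and the sample run are constructed for illustration; they are not the agent's real interface or a GitHub API response.

```python
# Added example (not from the listing or the skill-reviewer project): guardrails a
# deployer could run around a repository-mutating agent. Tool names, the token
# grant model and the action records below are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class CredentialGrant:
    # Simplified view of a GitHub token grant (constructed; not an API response).
    # repositories: "owner/repo" names, or "*" for every repo the owner can reach.
    repositories: FrozenSet[str]
    # permissions as "scope:level" strings, e.g. "contents:write".
    permissions: FrozenSet[str]


# The fork-edit-PR workflow needs to read metadata, write file contents to the
# fork, and open pull requests. Anything else is excess privilege (assumed set).
REQUIRED_PERMISSIONS = frozenset({"metadata:read", "contents:write", "pull_requests:write"})


def audit_grant(grant: CredentialGrant, target_fork: str) -> List[str]:
    """Return findings where the token is broader (or narrower) than the fork needs."""
    findings = []
    if "*" in grant.repositories:
        findings.append("token reaches all repositories; scope it to the fork only")
    else:
        extra = grant.repositories - {target_fork}
        if extra:
            findings.append(f"token reaches repositories beyond the fork: {sorted(extra)}")
    for perm in sorted(grant.permissions - REQUIRED_PERMISSIONS):
        findings.append(f"permission not needed by fork/edit/PR: {perm}")
    for perm in sorted(REQUIRED_PERMISSIONS - grant.permissions):
        findings.append(f"missing required permission: {perm}")
    return findings


@dataclass(frozen=True)
class AgentAction:
    tool: str    # e.g. "git.fork", "git.commit", "git.open_pr", "shell.exec"
    target: str  # "owner/repo" for git tools; the command line for shell.exec


def allowed_targets(upstream: str, target_fork: str) -> Dict[str, FrozenSet[str]]:
    """Which repository each git tool may touch in a well-behaved run."""
    return {
        "git.fork": frozenset({upstream}),       # fork is created from upstream
        "git.commit": frozenset({target_fork}),  # edits land only in the fork
        "git.push": frozenset({target_fork}),
        "git.open_pr": frozenset({upstream}),    # PR is opened against upstream
    }


def audit_actions(actions: List[AgentAction], upstream: str, target_fork: str) -> List[str]:
    """Flag actions outside the allow-list: out-of-scope repos, unknown tools, shell."""
    policy = allowed_targets(upstream, target_fork)
    findings = []
    for i, action in enumerate(actions):
        if action.tool == "shell.exec":
            findings.append(f"#{i}: arbitrary shell execution is not permitted: {action.target!r}")
        elif action.tool not in policy:
            findings.append(f"#{i}: unknown tool {action.tool!r}")
        elif action.target not in policy[action.tool]:
            findings.append(f"#{i}: {action.tool} targeted out-of-scope repository {action.target!r}")
    return findings


# Constructed sample run: one legitimate workflow plus two deviations.
UPSTREAM = "example-org/agent-skills"
FORK = "reviewer-bot/agent-skills"
SAMPLE_ACTIONS = [
    AgentAction("git.fork", UPSTREAM),
    AgentAction("git.commit", FORK),
    AgentAction("git.push", FORK),
    AgentAction("git.commit", "example-org/unrelated-service"),  # detour to another repo
    AgentAction("shell.exec", "make install"),                   # tool misuse
    AgentAction("git.open_pr", UPSTREAM),
]
SAMPLE_GRANT = CredentialGrant(
    repositories=frozenset({"*"}),
    permissions=frozenset({"metadata:read", "contents:write",
                           "pull_requests:write", "administration:write"}),
)

if __name__ == "__main__":
    for f in audit_grant(SAMPLE_GRANT, FORK) + audit_actions(SAMPLE_ACTIONS, UPSTREAM, FORK):
        print("FINDING:", f)
```

Run against the constructed sample, the grant audit reports the all-repositories scope and the unneeded administration permission, and the action audit reports the commit to an unrelated repository and the shell execution; the legitimate fork, commit, push and PR pass. The action check only works if the agent's tool calls are actually recorded, which is exactly the observability gap noted under L5.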

L7 · Agent Ecosystem · ✓ mapped

As a community tool designed to review and modify other agent skills, a compromise of this agent creates a cascading ecosystem threat, potentially introducing vulnerabilities into numerous downstream agent marketplaces.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).